AWS Route 53 – Resolving Multilevel Subdomain with Application Load Balancer

amazon-route53amazon-web-servicesdomain-name-systemload balancing

Within AWS I terminate TLS at an Application Load Balancer. I have configured a wildcard TLS certificate with AWS' Certificate Manager (ACM), e.g. *.example.com. I have AWS Route 53 resolving *.example.com, but I have nothing for *.*.example.com as I have no need for this.

I know you can't configure wildcard certificates for multi-level domains such as *.*.example.com.

https://x.example.com is all good and responds with a valid certificate. I get a certificate error with https://y.x.example.com, which makes sense. I have no need to serve multi-level subdomains such as *.*.example.com.

I would like to be able to block all multi-level domain requests such as https://y.x.example.com or just not have Route 53 resolving. Basically I want a Rule that says any host for https://*.*.example.com return 404 or for the Host not to be resolved.

In the application load balancer I have 2 listeners port 80 and port 443.

I can configure a rule for the port 80 listener which works fine for http://x.y.example.com and I can return a 404, when I configure the same rule for port 443 it does not work. Which I guess makes sense because the browser can't complete the TLS handshake.

If I complete an nslookup for x.example.com and y.x.example.com I get the same NameServers, I won't have expected Route 53 to resolve y.x.example.com.

So, I am looking for the answer to one of two questions:

How does one configure AWS Load balancer to block all wildcard multi-level subdomains on Port 443?
Why is Route 53 resolving y.x.example.com/ how to stop Route 53 resolving same?

Best Answer

If this is about the HTTPS/TLS case specifically, I do not see this being possible in any meaningful way.
If you don't have a valid certificate for the name that the client is trying to connect to, you do not have the means to send a valid response (like the 404 response mentioned in the question) in the first place, regardless the configuration on the server side.
For the plain HTTP case, it may be possible to do something like what was asked for based on a Host condition, but I am not sure that it's actually possible to distinguish the single-level vs multi-level case there. I am not sure that the plain HTTP case is that interesting these days anyway, though.
This is how wildcards work in DNS. Looking up a DNS name that is not part of an existing branch of the tree (regardless if one or more labels are missing) will match a wildcard record above it.
It is also worth noting that * only works as a wildcard when it is the left-most label. *.example.com works as a wildcard, *.foo.example.com works as a wildcard, but foo.*.example.com, foo*.example.com or *foo.example.com are not wildcards in DNS.
I do not believe you have a practical way of using wildcards while getting the "only one level" functionality that you are asking for (with DNS wildcards in general or Route53 specifically). Consider instead adding the specific names that you actually need (dynamically if need be), or otherwise live with the normal wildcard behavior.

Overall, I suspect that the best option is to not use wildcards in DNS, and then not have the problem of clients connecting to the ELB using these undesired names.

Related Solutions

Ssl – EC2 Load balancer and wildcard/multi-domain SSL certificates

I'd suggest one certificate per site (that way you can easily add a fourth site, or remove one of the existing, without touching the certs of the others).

Whether you want a wildcard for each site, or a multidomain which lists all possible subdomains depends on your setup.

If everything is in one location (EC2), wildcard is probably the cheaper and easier way w/o giving up security.

If you host stuff (for the same domain) in different locations (EC2 and own datacenter), I'd suggest multi-domain certs for every location. That way if one of the locations gets compromised, they cannot impersonate the other location (which would be possible with the wildcard cert or one multidomain listing all services of that domain).

Subdomain using AWS Route 53, load balancer, EC2, Apache

I havent worked with much AWS, but the general way of doing it will be as follows.

Let say currently you have example.com hosted in Route53, so Route53 is the authoritative nameserver for your example.com zone. Now if you want a subdomain called client.example.com which again needs to point to the same IP address where example.com.

So in that case create a CNAME record where example.com will be canonical name and client.example.com will be alias record.

Once this is done now example.com and client.example.com will both resolve to the same IP address i.e to the Load balancer.

If you prefer to share the same DocumentRoot of example.com to client.example.com you have noting extra to do. But if you want to serve different content then create a Name-Based Virtual host in Apache.

Update

As you want both demo.example.com and example.com to serve different contents you have to create a Name-Based virtual host in Apache.

The configuration will be looking like

<VirtualHost *:80>
     ServerName example.com
     ServerAlias www.example.com
     DocumentRoot /var/www/main
</VirtualHost>

<VirtualHost *:80>
     ServerName demo.example.com
     DocumentRoot /var/www/content
</VirtualHost>

The above configuration will serve file from /var/www/main if request is for http://example.com or http://www.example.com. And it will serve files from /var/www/content if the request is for http://demo.example.com.

Best Answer

Related Solutions

Ssl – EC2 Load balancer and wildcard/multi-domain SSL certificates

Subdomain using AWS Route 53, load balancer, EC2, Apache

Related Topic